The 2017 ‘Risk in Review’ study by PwC is not specific to risk management in telcos, and is too specific to the USA. However, a quick read allows us to contrast the key risk management messages being aimed at US executives with the way telcos manage risk around the world. Here are three takeaways that are worth highlighting.
1. Many businesses are moving risk to the front line, but not telcos
PwC repeat the same observation throughout their report: instead of just managing risk through a dedicated second-line team, businesses have more success if they move responsibility and decision-making to the front line.
Analysed year on year, our survey data shows a clear trend towards business unit and corporate executives taking the lead role by aligning ownership of key business risks with ownership of risk decision making.
In all, nearly two-thirds (63%) of our respondents said shifting more risk management responsibilities to the first line makes their companies more agile – this is, better at anticipating and mitigating risk events – and 46% have plans to further this shift within the next three years.
But perhaps you might find it hard to believe that telcos will improve risk management by shifting the responsibility towards their sales and customer service functions. That also fits with PwC’s data, which stated that technology, information, communications, entertainment and media firms were far less likely to be ‘front-liners’ than consumer, industrial, and financial firms.
2. Collaborative risk management benefits everyone
PwC make a strong argument for seeing risk management as a collective activity that works at every layer of the business.
First-line decision makers anticipate business risks, embed risk management in both strategic planning and tactical execution, and assign the right risks to be managed in the right places.
Second-line risk and compliance functions work collaboratively with the first line, providing checks and balances to optimise the risk management process.
Third-line internal audit objectively tests controls, and provides independent assurance, assessing first and second line risk activities.
This sounds a lot like the theories that propelled the original TMF RA Maturity Model, where the emphasis was on decentralization and transferring responsibility to operational units rather than trying to concentrate assurance work in a dedicated team. It also suggests that second line functions should seek a much more effective relationship with their colleagues in Internal Audit!
3. Chief Risk Officers are the norm
PwC does not say that big businesses should have a Chief Risk Officer (CRO). That is because they assume they already have one.
Even as companies are shifting risk management decision making towards corporate leadership and the business units, chief risk officers (CROs) are aiming to make their roles and functions more strategic.
PwC went on to state that 57 percent of CROs intend to increase their involvement in strategic planning during the next 18 months.
The perceived importance of the CRO was underlined by PwC when they stated his or her role is to enable…
…effecive risk management by promoting active monitoring, leading risk tolerance training, and coordinating with the CIO/CISO to manage cyberrisk organisation wide.
Contrast this ambition for CROs with our experience of risk management in telcos. We tend to focus on risk management at a much lower level, with the emphasis placed on catching specific operational errors. Perhaps that is because our most senior risk managers are expected to have an operational focus, and rarely communicate with c-level executives.
The study is not especially relevant to most telcos, but it does highlight that telcos may be falling behind in crucial areas. We know that we need a more integrated approach to risk management which connects operational details to strategic priorities. So far, most of us are bogged down in trying to make money from fixing detailed issues, and only a minority of telcos would think to appoint a CRO.
The complete PwC 2017 Risk in Review report can be downloaded from here.